Wim Remes SOURCE Boston 2011
Among the blind, the squinter rules.
Security visualization in the field.

@wimremes on twitter
wremes-at-gmail-dot-com
    Presentation Transcript

    • Among the blind, the squinter rules. Security visualization in the field
    • About me: Wim Remes. Ernst and Young Belgium (ITRA FSO); Incident Response/Analysis; Security Monitoring (SIEM); Security Management; Eurotrash podcast; InfosecMentors; BruCON. @wimremes on twitter, wremes-at-gmail-dot-com
    • Disclaimer: The opinions and ideas expressed in this talk are my own and are not endorsed by any corporate entity or church.
    • Agenda 1. please your audience 2. tools can [save|kill] your day 3. visualization hall of fail 4. tips & tricks 5. Let’s get to work
    • - 1 - Please your audience
    • Changing the tune keeps people engaged (picture by tochis: http://www.flickr.com/photos/tochis/)
    • Who’s that for? Management: Historical; Comparative; Supporting Decisions & Business Objectives; Clear & Concise; Actionable! Technical: (Near) Real Time; More complex; Facilitating the job; Actionable! 42
    • you’re the designer
    • Zen master of data visualization Edward Tufte data can be beautiful! data should be beautiful!
    • Dashboard design guru Stephen Few. “The sad thing about dancing bearware is that most people are quite satisfied with the lumbering beast.” Alan Cooper, 1999, The Inmates Are Running the Asylum.
    • - 2 - Tools can [save|kill] your day
    • What tools can I use? Cool kids use this (not!)
    • What tools can I use ? - Desktop - Server
    • Security tools will help ... PS: export to CSV works well ... try it for a 5000+ host network ;)
    • credit where credit is due ...
    • this is going in the right direction...
    • Open source it is then ... grep sed awk perl ... http://www.secviz.org kudos to @zrlram
    • - 3 - Visualization hall of fail
    • PIE, it’s what’s in your face
    • whoa, I take the biggest piece !
    • sometimes however, they rock ...
    • to explain simple stuff ;-)
    • “If bullet points are the obvious killers, pie charts are shurikens”
    • Even the best can fail...
    • 3D ?
    • failing in style ...
    • playing hide and seek ?
    • we have to raise the bar or maybe not ...
    • Sometimes it’s easy ... a 21st century bar(r) chart
    • - 4 - Tips & tricks
    • Sparklines (aka datawords)
    • Infographics (courtesy of ZoneAlarm, by Check Point)
    • Choose your chart wisely: http://www.flickr.com/photos/amit-agarwal/3196386402/
    • Get data from external sources: osvdb.org; datalossdb.org; various industry reports (Verizon DBIR, EY GISS, Trustwave, McAfee, Symantec, ...); virustotal.com; cvedetails.com. Context creates clarity.
    • Let’s make things better (slide title in Chinese: 让我们作的更好). [Chart: Vulnerabilities by Severity Level, severity 1–5 on one axis, 0–100 on the other. 3D? Compared to? Last year? Last month?]
    • Messy Dashboards (1/5)
    • Messy Dashboards (2/5) network status
    • Messy Dashboards (3/5) [Chart: Events/Second, 0–1500, 12:00–13:00]
    • Messy Dashboards (4/5) Top attackers: 10.10.10.10, 192.168.10.234, 172.30.12.15, 8.8.8.8. Top targets: 172.16.12.30, 172.16.12.15, 172.16.12.230, 172.16.12.120
    • Messy Dashboards (5/5) [Chart: Local Network - Inbound bytes, 0–4000, 9:00–13:00]
    • [Combined dashboard mock-up: server health (Windows, Unix, Network); network status; Events/Second (0–1500, 12:00–13:00); Major Events (worms, portscans, failed logins, FTP; 0–60); Top attackers and Top targets (the same addresses as above); Local Network - Inbound bytes (0–4000, 9:00–13:00)]
    • 3,1415926535897932384626433832
    • Blink... Understand. [Treemap: source countries DE, CN, US, NL, BE and their networks: Great Lakes, KEYWEB, TimeNet, VolumeDrive, EuroAccess, RoadRunner, ISPSYSTEM-AS, Comnet AS]
    • Ok, we can still say it with pie: NL, CN, BE, DE, US
    • - 5 - Let’s get to work
    • Davix | gltail: ruby | real time | logs. http://www.fudgie.org/ http://dataviz.com.au/blog/Visualizing_VOIP_attacks.html
    • Davix | afterglow credit: David Bernal Michelena http://www.honeynet.org/challenges/2010_5_log_mysteries
    • Burpdot http://un-excogitate.org/
    • Google Charts API http://code.google.com/apis/chart/ http://search.cpan.org/dist/URI-GoogleChart/
    • Google Visualization API
    • Google Visualization API
      Nevada;7526;6/11/10;Theft;Network Server
      Texas;600;5/29/10;Theft;Network Server
      California;1000;5/25/10 and 5/26/2010;Other;Paper
      Arizona;5893;5/15/10;Theft;Laptop
      Kansas;1105;5/12/10;Theft;Laptop
      South Carolina;653;5/09/10;Theft;Laptop
      Texas;4083;5/04/10;Improper Disposal;Paper Records
      Maryland;937;5/03/10;Other;E-mail
      Michigan;2300;5/02/10;Theft;Laptop
      New York;1020;4/30/10;Theft, Unauthorized Access;Laptop, Desktop Computer, ...
      http://code.google.com/apis/ajax/playground/?type=visualization#tree_map
    • jQuery libraries (almost) CC BY-NC 3.0 (To the cloud!)
    • Conclusions: We need data standardization badly; understand your data; we need to think outside the box; there’s more to visualization than pie charts; there are tools out there: use them wisely.
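As an added example that is not part of the talk: the semicolon-separated breach rows the slide feeds to the tree map have to be rolled up into a parent/child hierarchy first. The Python below does that, assuming the five-field layout state;records;date;type;location and crediting a multi-valued type or location field ("Theft, Unauthorized Access") to its first entry so the totals stay additive.

```python
"""Added example (not from the talk): roll the slide's breach records up into
treemap rows. Field layout is assumed from the sample: state;records;date;type;location."""
from collections import defaultdict

# Constructed from the rows shown on the slide (the truncated last row is closed off)
RAW = """Nevada;7526;6/11/10;Theft;Network Server
Texas;600;5/29/10;Theft;Network Server
California;1000;5/25/10 and 5/26/2010;Other;Paper
Arizona;5893;5/15/10;Theft;Laptop
Kansas;1105;5/12/10;Theft;Laptop
South Carolina;653;5/09/10;Theft;Laptop
Texas;4083;5/04/10;Improper Disposal;Paper Records
Maryland;937;5/03/10;Other;E-mail
Michigan;2300;5/02/10;Theft;Laptop
New York;1020;4/30/10;Theft, Unauthorized Access;Laptop, Desktop Computer"""


def parse_records(text):
    """Yield (state, records, types, locations) for each well-formed row.
    The date field is kept opaque ("5/25/10 and 5/26/2010" is not a single date).
    Malformed rows are skipped instead of poisoning the totals."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5 or not fields[1].isdigit():
            continue
        state, count, _date, types, locs = fields
        yield (state, int(count),
               [t.strip() for t in types.split(",")],
               [l.strip() for l in locs.split(",")])


def totals_by_type(text):
    """Records lost per breach type; a multi-valued type counts under its first entry."""
    totals = defaultdict(int)
    for _state, count, types, _locs in parse_records(text):
        totals[types[0]] += count
    return dict(totals)


def treemap_rows(text):
    """Rows shaped as [node id, parent id, size], the hierarchy a treemap widget
    consumes: All -> breach type -> asset location. Leaf sizes are additive."""
    leaves = defaultdict(int)
    for _state, count, types, locs in parse_records(text):
        leaves[(types[0], locs[0])] += count
    rows = [["All", None, 0]]
    rows += [[t, "All", 0] for t in sorted(totals_by_type(text))]
    rows += [[f"{t} / {loc}", t, n] for (t, loc), n in sorted(leaves.items())]
    return rows
```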
    • Thank you wremes@gmail.com - @wimremes